SSL Certificates: How To Select The Right SSL Certificate For Your Online Store
November 9th, 2007

If you own an online store or shopping cart and you transmit personal information from your customers, you need to encrypt that information using an SSL certificate. But with so many choices that vary wildly in cost, how does an online store owner know which one to choose?
First, it’s important to understand what an SSL certificate does. SSL certificates have two main purposes: 1. to encrypt the data flowing between the customer’s browser and the server (128 bit encryption is recommended for ecommerce), and 2. to identify the online store. SSL certificates have varying levels of owner authentication (less expensive ones can be done online, others require a phone call, others require more formal business documentation). SSL certificates also vary in the warranty they provide you and your customers against loss. SSL certificates have a third, non-technical purpose, which is to convey a level of trust and security to increase shopper confidence in your online store. (Here’s an excellent article by VeriSign on SSL and buyer confidence.)
I’ll list just two of the SSL certificates that I’m familiar with and that my hosting company, who I do trust, is familiar with. (Read about what my hosting company, DreamHost, says about SSL certificates.) If you are not using DreamHost, then you may be able to purchase an SSL directly from your hosting company – but ask them who they are really using (for example, when I asked Aplus.net, they said their SSL certificates are actually Comodo).
GeoTrust and VeriSign SSL Certificates
GeoTrust and VeriSign are classified as “expensive” and “very expensive” by DreamHost. GeoTrust 256 bit SSL certificates run from $249 – $1499 per year (go here to see a comparison chart of GeoTrust SSL Certificates). VeriSign SSL 128 bit certificates run from $999 – $1499 per year (go here to use the VeriSign SSL Selection wizard or here to see a comparison chart for VeriSign SSL Certificates). Note the different methods of authentication, different warranties, and different website seals. Both GeoTrust and VeriSign are widely known and respected, and GeoTrust is the “recommended” SSL certificate by DreamHost.
GoDaddy is classified as “very cheap” by DreamHost. GoDaddy SSL certificates run from $19 – $499 per year (go here to see a comparison chart of GoDaddy SSL Certificates – click on the “certificate features” tab at the bottom). Note the warranty, verification process, and site seals.
Which Is Best For My Online Store?
Let’s look at some of the differences between two extremes of cost: GeoTrust and GoDaddy SSL certificates.
That little padlock icon or “https”: Generally speaking, all SSL certificates will make your customer’s browser have that little padlock icon that tells them they’re on a secure site and change the URL to “https”. But not all SSL certificates are compatible with all browsers. Both GeoTrust and GoDaddy claim to be compatible with 99% of all modern browsers. Check your SSL’s claim to browser compatibility to make sure your customers get that little padlock icon.
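The two jobs described above, encrypting the connection and identifying the store, are easier to reason about when you look at what the browser actually receives. The Python script below is an added example, not code from the original post or from any certificate vendor; the store name, the CA name and every certificate field are constructed sample values, and the function and variable names are my own. It reads the identity fields a client sees in a certificate (issuer, covered hostnames, validity dates), reports the key sizes a default client will negotiate (the cipher, not the certificate vendor, decides those bits), and includes a network helper for checking a live site.

```python
"""Inspect what an online store's SSL certificate actually asserts.

Hypothetical helper (not from the original post). The *certificate*
identifies the site: who issued it, for which hostnames, until when.
The *connection* decides encryption strength: the cipher the browser
and server negotiate. The two are checked separately below.
"""
import socket
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# a certificate for a fictional store, issued by a fictional CA.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Random Store LLC"),),
                (("commonName", "www.randomstore.example"),)),
    "issuer": ((("organizationName", "Example Certificate Authority"),),
               (("commonName", "Example CA Intermediate"),)),
    "notBefore": "Nov  9 00:00:00 2007 GMT",
    "notAfter": "Nov  9 23:59:59 2008 GMT",
    "subjectAltName": (("DNS", "www.randomstore.example"),
                       ("DNS", "randomstore.example")),
    "version": 3,
}

# A fixed "now" (1 June 2008, 12:00 UTC) so the sample can be evaluated offline.
AS_OF_2008 = ssl.cert_time_to_seconds("Jun  1 12:00:00 2008 GMT")


def _name_field(rdns, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _hostname_matches(pattern, hostname):
    """Match a certificate DNS name against a hostname; '*' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_parts, h_parts = pattern.split("."), hostname.split(".")
        return len(p_parts) == len(h_parts) and p_parts[1:] == h_parts[1:]
    return False


def assess_certificate(cert, hostname, now=None):
    """Report what the certificate says about identity: issuer, name match, validity."""
    now = time.time() if now is None else now
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # very old certificates carried the name only in the subject CN
        cn = _name_field(cert["subject"], "commonName")
        names = [cn] if cn else []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer_org": _name_field(cert["issuer"], "organizationName"),
        "subject_org": _name_field(cert["subject"], "organizationName"),
        "hostname_ok": any(_hostname_matches(n, hostname) for n in names),
        "in_validity_period": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }


def default_cipher_strengths():
    """Key sizes a default client context will negotiate; this sets the 'bits', not the CA."""
    bits = sorted({c["strength_bits"] for c in ssl.create_default_context().get_ciphers()})
    return {"weakest_bits": bits[0], "strongest_bits": bits[-1]}


def inspect_live_site(hostname, port=443, timeout=5.0):
    """Network helper (not exercised offline): fetch a real site's cert and cipher."""
    ctx = ssl.create_default_context()  # verifies the chain against the system trust store
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cipher_name, protocol, cipher_bits = tls.cipher()
            report = assess_certificate(tls.getpeercert(), hostname)
            report.update({"protocol": protocol, "cipher": cipher_name,
                           "cipher_bits": cipher_bits})
            return report


if __name__ == "__main__":
    print(assess_certificate(SAMPLE_CERT, "www.randomstore.example", now=AS_OF_2008))
    print(default_cipher_strengths())
```

Run it as-is to see the constructed certificate evaluated; call `inspect_live_site("your-store-hostname")` against a store you operate to see the same report for a real certificate, including the protocol and cipher the connection negotiated. A failed handshake in `inspect_live_site` usually means the server is missing its intermediate (chained) certificate, which is the setup difference between a chained and a root-issued certificate.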
SSL Warranty: GoDaddy’s current SSL warranty is $2000, while GeoTrust warranties run from $10,000 to $250,000. Obviously, the bigger warranty is better, because if someone manages to steal your customer’s credit card info, that could run up quite a big bill. Here’s a link to GeoTrust’s legal documents – the SSL warranty details are at the bottom under “Protection Plan”. However, if you’re using PayPal Website Payments Standard to process your payments, this means that you are only sending customer name/address info, and so your risk should be lower than if you were using PayPal Website Payments Pro and sending the credit card info. Assess your own risk and what you can afford, just like when you buy insurance.
SSL Site Seal: Site Seals are intended to inspire buyer confidence in your online store. Obviously a GeoTrust seal is going to inspire more confidence than a GoDaddy seal, but this is hard to quantify. Some seals actually show your store’s authenticated name, others give pop-up boxes with other authentication info. Many of my clients who purchase GeoTrust display their seals on every page of their online stores, while many of my clients who purchase GoDaddy SSLs choose NOT to display the GoDaddy seals. Notice who does and who doesn’t display an SSL seal as you do your online shopping. Even Charles Schwab displays their VeriSign SSL seal on their client login page.
Bottom line:
Buy the very best SSL your budget can afford to protect your business and your customers.
(GeoTrust, VeriSign, GoDaddy, and PayPal are all registered trademarks of each of those companies, respectively.)
Jill

--------------
J. Olkoski
Aldebaran Web Design, Seattle
Jill Olkoski has a BS in Engineering, a BS in Computer Science and an MA in Clinical Psychology. She delights in using her advanced technical and psychological skills to help small business owners develop cost-effective and successful websites.
May 13th, 2009 at 11:14 pm
I’m now choosing the right SSL provider for my company’s Exchange 2007 Server, purpose only for Webmail and the Pushmail, so I think Godaddy is already good enough, right?
May 14th, 2009 at 9:51 am
Hi Harris,
I’d think so. I guess my opinion would be different if you told me that you were emailing medical records or financial records – the more sensitive the information, the more protection you might need. It’s really hard to figure out how much less secure a particular GoDaddy SSL might be versus a particular GeoTrust SSL. For my ecommerce clients, I usually recommend GeoTrust, because they’re a large company and credit card numbers are super sensitive. But you’d have to think about the worst case scenario in terms of data from your company getting out, and if the consequences are fairly minor, then maybe GoDaddy is fine.
June 1st, 2009 at 2:20 pm
I found this site while searching for “which SSL cert is the best”. I have used Comodo for a number of years, but my client is brand-agnostic but wants to be like their competitors who have certs from Verisign and Thawte. I think there’s a lot to be said for name recognition.
For example, all the banks and CC companies I use have Verisign on their sites, which likely builds the perception that it’s better than others because XYZ bank uses it. Name recognition affects consumer behavior, and, of course, every cert vendor has some information on their site that talks about how the display of their cert badge on a site improves sales by some percent or whatever. This adds yet another variable to the mix when evaluating vendors.
June 1st, 2009 at 2:24 pm
Hi Demtron,
I agree completely. Recently, DreamHost stopped selling GeoTrust SSL certificates, and when all of my clients come up for renewal, I’ve been advising them to renew with GeoTrust, versus purchasing the DreamHost generic ones. I agree that seeing logos from widely regarded companies such as GeoTrust or Verisign does carry with it the perception of safety. I too see Verisign on the various firms I do online business with, and feel good when I recognize the logo. So I do think that using a “well known and trusted” SSL certificate does add some level of implied trust to shoppers – and I’d think that it would be worth the extra cost to a website owner. Completely agree!
July 10th, 2009 at 11:39 am
Guys, SSL certificates are all using the same technology, so a 128-bit cert is a 128-bit cert, regardless of provider. There is no such thing as a “more secure” 128-bit certificate, other than the initial verification process while you are signing up. In other words, the price difference is mostly a marketing issue and not a security issue.
If your customers recognize Verisign or GeoTrust seals (or the silly and somewhat insignificant “green address bar”) and thereby trust your site more because of it, then that’s a legitimate reason to purchase. But it’s a marketing reason, that’s all. If customers don’t recognize the site seal or perceived security difference, the extra cash is essentially a waste of money. The only other considerations are chained vs root certs, which affect setup. As far as warranties/insurance, good luck ever proving that SSL was the cause of a security hole, as 128+ bit keys are virtually bulletproof (security breaches are caused by something other than SSL failure). Again, more marketing than actual protection. Hope this helps…
July 12th, 2009 at 10:32 am
Hi Bob,
I’m assuming your “guys” also includes the “gals” that are posting here on my blog. I’d be curious to get your references (feel free to post links) that verify your claims that all 128 bit SSL certificates are identical. Most SSL providers now only provide 256 bit. Many other folks who have posted have already talked about the value of having a widely recognized seal, and I don’t think that spending an additional $100 or $200 a year to add a seal that might increase sales is a bad idea or a “waste of money”. Many of my clients can make up that cost on a single purchase over the course of a year – if a single person makes a purchase based on the recognized seal, then the “waste of money” argument disappears. Small business owners spend thousands and tens of thousands of dollars in marketing and advertising. Spending a little more to help an online store look more secure is well worth it and what I recommend to clients. Getting the cheapest SSL certificate is not always the best overall business decision.
I’ll also add that, in addition to getting a widely recognized site seal, different SSL companies have very different steps necessary to get the SSL set up and installed. They also have very different levels of customer support. I’ve had excellent results with GeoTrust because of their instant online chat service – they can help you with any issues immediately and they will verify the installation is correct when done. This is another reason that I always recommend GeoTrust to my clients.
September 27th, 2009 at 8:02 pm
Hi Jill.
I’m still waiting for some review of other certificate providing companies. Thawte, Globaltrust et al. How do they stack up? And Bob raised eyebrows. What is the real, real difference between 128 verisign and equivalent from my creation?
September 27th, 2009 at 9:43 pm
Hi Musah,
I honestly don’t know about the other companies. I’m also not an SSL expert – so I can’t answer your other question. Not much help I’m afraid. But I do trust GeoTrust and Verisign because institutions that I trust use them, and that’s what I base my opinion on.
February 11th, 2010 at 7:59 am
Bob is right in the sense that all 128-bit (or 256-bit, or whatever) SSL certificates accomplish the same task: they allow an SSL connection to be established at a certain level of encryption.
Otherwise, it’s just a question of trust. As a consumer, do I trust Random Store’s SSL cert if it comes from GoDaddy more or less than I would trust Random Store’s SSL cert if it comes from Verisign?
If only it were that simple. Each SSL provider offers levels of authentication. The EV option (gets you that snazzy green address bar) costs a bundle, but the SSL providers claim that they confirm that the SSL certificate holder is, in fact, who they say they are.
Finally, no matter what SSL cert you have, all you’ve done is, at most, confirm that you are a real entity, with a real identity, and that the SSL cert is connected to it. Nothing more.
Finally, finally, you should care more about what browsers/devices will work with your SSL cert. Will your iPhone recognize it? Will your 3-year-old version of Firefox?